Want to Protect Data? Comply with Government Rules

Complying with government regulations is a great way to protect your company's data. That's the conclusion of a new report finding a direct correlation between a company's compliance record and its ability to protect sensitive data.

Companies that perform well in compliance audits also excel at protecting their data, according to the study, released today by the IT Policy Compliance Group, a Cleveland-based research firm. By contrast, companies that performed poorly on regulatory audits tend to have the worst data protection records.

"The results were definitely surprising," said Jim Hurley, the research firm's managing editor. "Until last year there was nothing in the quarterly data we collected to suggest such a relationship existed." But the two-year historical data showed an undeniable relationship between compliance success and data protection, he says.

The study, based on data collected from 2,000 companies of varying revenue sizes, and on publicly reported data losses and thefts, was sponsored by compliance and security trade associations and compliance and security software vendors.

Companies with two or fewer compliance deficiencies annually are likely to have two or fewer data losses or thefts in the same time period, according to the report. Conversely, organizations that lag when it comes to compliance (10 or more deficiencies in a year) are likely to experience data loss more than a dozen times annually.

The reason for the correlation, Hurley says, is that companies with the fewest control objectivessafeguards put in place to support security and other policiesare least likely to experience a data loss and most likely to perform well on regulator audits.

For example, businesses with an average of 82 control objectives had 22 or more compliance deficiencies annually and 13 or more data losses and thefts in a year. In comparison, companies with roughly 32 control objectives had two or fewer compliance deficiencies and two or fewer data losses each year.

The primary exception to the findings was among large enterprises with $1 billion or more in revenue. Those companies tend to operate significantly below or above the norm when it comes to protecting sensitive data. Hurley attributes the anomaly to the fact that large companies tend to have multiple annual audits  at least threecompared to one or two in small and midsized companies.

The laggards, he says, appear to be managing compliance efforts without a governance committee and with multiple audit teams that do not share information. Consequently, they may miss opportunities to collapse similar or identical control objectives across audit requirements.

At the same time, the large companies that excel at compliance and data protection tend to have active governance bodies that facilitate communication across the finance, audit and technology departments, according to Hurley, and tend to have fewer control objectives. "Businesses with fewer controls are focusing on managing exceptions rather then spending time and labor trying to manage everything," he says.